Exploiting Bluetooth - from your car to the bank account

Presented at DEF CON 32 (2024), Aug. 9, 2024, 5:30 p.m. (45 minutes).

Over the past decade, infotainment systems have grown in functionality, have been adopted more broadly and have become a central part of the vehicle architecture. Because of the ever-growing role of wireless protocols such as Bluetooth, a known lack of patches, and the difficulty of installing the patches that do exist, this creates a new attack surface and a genuine threat to users. At the same time, the tools and methodologies required for testing are scattered across the Internet, missing entirely, or require a rigorous setup. In this talk, we share BlueToolkit, a comprehensive framework for testing and replaying Bluetooth Classic vulnerabilities, and we provide practical information and tips. Additionally, we release new exploits and a privilege escalation attack vector. We show how we used the toolkit to find 64 new vulnerabilities in 22 modern cars and in the Garmin Flight Stream flight management system used in several aircraft types. Our work equips Bluetooth hackers with the necessary information on novel implementation-specific vulnerabilities that could be used to steal information from target cars, establish a MitM position, or escalate privileges to stealthily hijack victims' accounts. We believe our research will help in finding new vulnerabilities and in making Bluetooth research more accessible and reproducible.

References:

0. D. Antonioli and M. Payer. On the Insecurity of Vehicles Against Protocol-Level Bluetooth Threats. In 2022 IEEE Security and Privacy Workshops (SPW), pages 353–362, Los Alamitos, CA, USA, May 2022. IEEE Computer Society.
1. BlueToolkit [link](https://github.com/sgxgsx/BlueToolkit) (The tool will be uploaded here, but won't have all exploits, which will only be released after the DEF CON talk.)
2. Cross-Sectional Analysis of the Bluetooth Stack of Modern Cars (the link will be updated).
3. Wenjian Xu. Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication. Black Hat USA, 2020. [link](https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf)
4. Tyler Tucker, Hunter Searle, Kevin Butler, and Patrick Traynor. Blue's Clues: Practical Discovery of Non-Discoverable Bluetooth Devices. In 2023 IEEE Symposium on Security and Privacy (SP), pages 3098–3112, 2023.
5. Maximilian von Tschirschnitz, Ludwig Peuckert, Fabian Franzen, and Jens Grossklags. Method Confusion Attack on Bluetooth Pairing. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1332–1347, 2021.
6. Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR. In USENIX Security Symposium (SEC), August 2019.

Presenters:

  • Vladyslav Zubkov - Bug Bounty Hunter
    Vladyslav Zubkov (aka yso and schwytz) is a bug bounty hunter. He is consistently among the top hackers at live hacking events organized by Meta, Intel, Louis Vuitton, Intigriti and YesWeHack. His interests include vulnerability research, application security, red teaming, bug bounty hunting, developing tools and proactively securing systems.
  • Martin Strohmeier - Senior Scientist at Cyber Defence Campus
    Martin Strohmeier is a Senior Scientist at the Swiss Cyber Defence Campus, where he is responsible for vulnerability research programmes into aircraft, satellites and cars. His work has been published in all major systems security conferences, totalling more than 100 publications to date. He has also spoken previously at the DEF CON Aerospace Village and co-organized CTFs there.
